Monday, January 25, 2010

XML Threat and Trust Modeling and Testing

Understanding XML threat and trust models enables SOA testing and QA professionals to build robust test suites that verify the functional, performance, interoperability and security profiles of Web services. SOA testing has to cover XML identity tokens, XML signature generation and verification, and XML encryption and decryption to establish trust. The test suites have to ensure that trust-based artifacts are scalable and interoperable. In addition to testing such trust-based artifacts, SOA testers have to ensure that the web services have threat mitigation in place against threats such as SQL injection, denial-of-service attacks and malware carried over SOAP and XML traffic.
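As an added example (not from the article and not Forum Systems' code), one structural check a SOA security test suite can run over every SOAP/XML request before it reaches the service: a streaming screen that rejects DTD and entity declarations and the nesting and element-count blowups behind XML denial-of-service. The limits and the sample payloads are assumed and constructed for the example.

```python
import xml.parsers.expat as expat

class _Stop(Exception):
    pass  # internal: abort parsing once a hard finding has been recorded

def screen_xml(payload: bytes, max_depth=32, max_elements=5000, max_attrs=64) -> list:
    """Screen a SOAP/XML payload for structural threats with a streaming parser,
    before any tree is built. Returns a list of findings; empty means it passed.
    The limits are assumed values a gateway would tune per service."""
    findings, state = [], {"depth": 0, "elements": 0}
    parser = expat.ParserCreate()

    def stop(msg):
        findings.append(msg)
        raise _Stop
    def on_doctype(name, sysid, pubid, has_internal_subset):
        # Any DTD opens the door to entity expansion and external entity fetches.
        stop("DOCTYPE declaration present (entity expansion / XXE risk)")
    def on_entity_decl(name, is_param, value, base, sysid, pubid, notation):
        stop("entity declaration %r" % name)
    def on_start(name, attrs):
        state["depth"] += 1
        state["elements"] += 1
        if state["depth"] > max_depth:
            stop("nesting depth exceeds %d" % max_depth)
        if state["elements"] > max_elements:
            stop("element count exceeds %d" % max_elements)
        if len(attrs) > max_attrs:
            stop("element %s carries %d attributes" % (name, len(attrs)))
    def on_end(name):
        state["depth"] -= 1

    parser.StartDoctypeDeclHandler = on_doctype
    parser.EntityDeclHandler = on_entity_decl
    parser.StartElementHandler = on_start
    parser.EndElementHandler = on_end
    try:
        parser.Parse(payload, True)
    except _Stop:
        pass  # first hard finding already recorded
    except expat.ExpatError as exc:
        findings.append("malformed XML: %s" % exc)
    return findings

# Constructed samples: a benign SOAP request, an over-deep document, and one with a DTD.
BENIGN = (b'<soap:Envelope xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/">'
          b'<soap:Body><GetQuote><symbol>ABC</symbol></GetQuote></soap:Body></soap:Envelope>')
DEEP = b"<r>" + b"<n>" * 40 + b"</n>" * 40 + b"</r>"
DTD = b'<!DOCTYPE r [<!ENTITY x "y">]><r>&x;</r>'
```

A test case passes only when the gateway or service under test rejects every payload for which `screen_xml` reports a finding.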

Here is an article published on XML Threat and Trust Models:

XML Security Trust and Threat Models for Dummies
— It is very rare today to find a business application that has not exposed its interface via SOAP/XML. XML is the building block that enables business or consumer applications to exchange data in a standard structured format. The exchange of XML data typically takes place through a SOAP/XML interface based on the Web Services standard or through the REST-based standard. These flexible standards that richly describe interface functions of an application also introduce a host of XML and Web Services security vulnerabilities. This article is a quick start guide to the most common XML and Web Services security vulnerabilities and the two basic security models they follow.
Full Article: XML Security Trust and Threat Models for Dummies

Tuesday, January 19, 2010

Forum Systems joins Cloud Security Alliance

BOSTON--Forum Systems, a wholly owned subsidiary of Crosscheck Networks, Inc., today announced that it has joined the Cloud Security Alliance to help further the organization’s efforts in the areas of data security, privacy and integrity best practices. An early sponsor of the Cloud Security Alliance, Forum Systems recognized the fundamental need for providing security assurance within cloud computing environments. As a Cloud Security Alliance Corporate Member, Forum Systems advocates that enterprises must first establish secure XML, SOAP and REST-based transactions before implementing their cloud-based initiatives.

Read Full Description >>

Friday, January 15, 2010

Strategies for Securing Enterprise-to-Cloud Communication

Extending corporate boundaries to cloud infrastructure providers requires a focused review of the security practices used to integrate from the enterprise DMZ to external trading partners. Here is an article that covers Enterprise-to-Cloud communication issues and how best to prepare for them. SOA testing and XML gateways play an integral part in ensuring that the security provisions are well tested and strictly enforced while interacting with cloud providers.

Strategies for Securing Enterprise-to-Cloud Communication
— The Cloud Security Alliance (CSA) published Version 2.1 of its Guidance for Critical Areas of Focus in Cloud Computing with a significant and comprehensive set of recommendations that enterprises should incorporate within their security best practices if they are to use cloud computing in a meaningful way. The Guidance provides broad recommendations on operational security concerns including application security, encryption & key management, and identity & access management. In this article, we will consider security implications of REST- and SOAP-based communication between consumers and specifically, Infrastructure as a Service (IaaS) providers.

Thursday, January 07, 2010

Federated SOA impacts SOA Testing

Comprehensive SOA testing, using commercial and mature products such as SOAPSonar from Crosscheck Networks, is critical for companies as they expand beyond their localized SOA domains and integrate with SaaS, PaaS, and IaaS providers to build a Federated SOA.  Here's an article that highlights the relationship between Federated SOA and Cloud Computing.

Federated SOA: A Pre-requisite for Enterprise Cloud Computing
— Successful enterprise SOA implementations build on a set of localized, project-level efforts with services that have clearly identified and accountable business and technology owners. Ownership defines a SOA domain. SOA domains may exist within corporate boundaries or may be provided as services by third parties. Deciding what services are core to a business owner and should be implemented within her/his domain versus consumed from another SOA domain becomes a critical part of building Federated SOA. Understanding core capabilities provided by SOA domains is a crucial task at the enterprise level for encouraging efficiency through re-use and for keeping focus on core business services.

As SOA domains mature, key issues arise in enabling "SOA Domain Jumping": easily and rapidly integrating with other SOA domains. Here are the top three Federated SOA requirements that corporations must first address before embarking on a meaningful and sustained cloud computing deployment.

Monday, January 04, 2010

Hidden Cost of Open Source SOA Testing Tools

Here is an interesting article that appeared on SYS-CON regarding the hidden costs associated with using open source frameworks for SOA testing. Corporate business process security, interoperability and scalability may depend on the kind of tools one chooses for testing services, and that choice may significantly contribute to the overall success of a company's ability to safely add a growing number of business partners to its ecosystem.

Hidden Cost of Open Source SOA Testing
— Adopting an open source tool for SOA testing seems the simplest, most cost-effective choice for developers and testers early on. However, you should plan and consider the implications of a longer term strategy with an open source testing tool. There are many aspects of service testing that contribute to a comprehensive solution across the SOA life cycle. Adopting a specialized tool for service testing is essential and will provide value, but may prove limiting if the adoption of the testing tool becomes something that cannot grow with the business and maturity of your SOA strategy. This article will discuss some topics to consider before jumping headlong into an open source free testing solution for your production services.

Friday, January 01, 2010

Service virtualization and its effect on SOA Testing

This article discusses the advantages of using service virtualization whereby, in the simplest case, you may import a number of WSDLs, aggregate them and then expose them via an XML Gateway, such as Forum Sentry, based on the credential presented. The impact of service virtualization on SOA testing is significant:

  • Remote services have to be tested independently.
  • Aggregated WSDLs need to be tested.
  • User-specific WSDLs generated by the Cloud/XML gateway have to be tested.
  • The difference between gateway-generated services has to be reconciled with the remote services.
  • Identity tokens have to be generated for both the remote services and the gateway to ensure that the right authentication and authorization decisions are being enforced on the gateway.
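As an added example (not from the article, and not Forum Sentry's own WSDL handling), one way to reconcile a gateway-generated, credential-specific WSDL with the remote service's WSDL, covering the fourth point above: operations the gateway exposes but the remote service lacks are broken virtual definitions, while operations the remote service has but the gateway hides must be confirmed as intentionally filtered for that credential. The WSDL fragments are constructed for the example.

```python
import xml.etree.ElementTree as ET

WSDL_NS = "{http://schemas.xmlsoap.org/wsdl/}"

def wsdl_operations(wsdl_xml: str) -> set:
    """Collect the operation names declared on every portType of a WSDL 1.1 document."""
    root = ET.fromstring(wsdl_xml)
    return {op.get("name")
            for pt in root.iter(WSDL_NS + "portType")
            for op in pt.findall(WSDL_NS + "operation")}

def reconcile(remote_wsdl: str, gateway_wsdl: str) -> dict:
    """Compare what the gateway exposes with what the remote service declares.
    'missing_upstream': exposed by the gateway but absent upstream; calls will fail.
    'hidden': declared upstream but not exposed; the test suite should confirm the
    gateway denies direct calls to these for the credential the WSDL was built for."""
    remote = wsdl_operations(remote_wsdl)
    gateway = wsdl_operations(gateway_wsdl)
    return {"missing_upstream": gateway - remote, "hidden": remote - gateway}

# Constructed sample WSDL fragments (not real services): the remote order service and
# the virtualized view the gateway generated for a partner credential.
REMOTE_WSDL = """<definitions xmlns="http://schemas.xmlsoap.org/wsdl/" name="Orders">
  <portType name="OrdersPort">
    <operation name="GetQuote"/>
    <operation name="PlaceOrder"/>
    <operation name="CancelOrder"/>
  </portType>
</definitions>"""

GATEWAY_WSDL = """<definitions xmlns="http://schemas.xmlsoap.org/wsdl/" name="PartnerOrders">
  <portType name="PartnerOrdersPort">
    <operation name="GetQuote"/>
    <operation name="PlaceOrder"/>
    <operation name="RefundOrder"/>
  </portType>
</definitions>"""

if __name__ == "__main__":
    print(reconcile(REMOTE_WSDL, GATEWAY_WSDL))
```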

References:
  1. Virtues of Service Virtualization in a Cloud
  2. XML Gateway: Forum Systems